Comments on: Gumblar .cn Exploit – 12 Facts About This Injected Script

By: Securing FTP Access on a cPanel Server :: The cPanel Admin

Securing FTP Access on a cPanel Server :: The cPanel Admin — Thu, 11 Feb 2010 17:53:13 +0000

[...] with viruses like Gumblar stealing FTP passwords and farming them out to hackers so they can upload malicious code into user files. What you end up with is a flood of complaints from users about errors on their [...]

By: Top 10 Malware Sites | Decentralization Station | Power of the cloud

Top 10 Malware Sites | Decentralization Station | Power of the cloud — Wed, 06 Jan 2010 12:35:11 +0000

[...] malware researchers reported widespread compromises pointing to the domains gumblar.cn and martuz.cn, both of which made it on [...]

By: Malicious Javascript Code infected my blogs - Ryan Isra, Cyberworld, Technology

Malicious Javascript Code infected my blogs - Ryan Isra, Cyberworld, Technology — Wed, 30 Dec 2009 19:44:19 +0000

[...] its name is Gumblar. You can find further information about Gumblar on Unmask Parasites Blog, Wikipedia, or ISS.net. I got alot of useful information. However, I might be infected by its [...]

By: Markusk

Markusk — Wed, 16 Dec 2009 22:14:28 +0000

If you know the date of the infection, you can easily check all files that were edited on that day.

btw, I noticed, it replaced a file called home.inc, so it probably also targets all files containing “home” in the name, additionally to “index”, “default”, etc and ALL .js files.

By: ugg outlet

ugg outlet — Sun, 13 Dec 2009 12:49:42 +0000

Make sure to check the folders “error_docs” and “httpsdocs” on your webserver!!!

The malicious code can also be found in these locations – therefore the infection will not be cured if you just upload a clean backup version of your website from a clean system unless you sanitize those locations too.

By: pratclif

pratclif — Wed, 18 Nov 2009 17:09:50 +0000

I have several sites; you rightly pont to the password security. I have like this ……

inserted before

By: ReBirth « Zero Wind – Jamie Wong

ReBirth « Zero Wind – Jamie Wong — Thu, 05 Nov 2009 05:47:29 +0000

[...] The virus that owned the old site (along with every other index.* on my webspace) was a variant of the Gumblar.cn virus http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/ [...]

By: ugg boots

ugg boots — Mon, 02 Nov 2009 09:42:37 +0000

Our site was infected 14 days ago. So we cleaned the server, installed all new with all security updates, newest php and sql version, even new joomla!.
Now, our webserver has been infected the second time… There are a lot of tutorials how to desinfect the webserver (or just clean up by deleting everything), but what is with the Computer? How can we clean possible infectet computers too? We use a SonicW… Firewall with content filter, and TrendM…

By: EL_Barto

EL_Barto — Thu, 29 Oct 2009 18:38:35 +0000

Make sure to check the folders “error_docs” and “httpsdocs” on your webserver!!!

By: Ken

Ken — Sat, 24 Oct 2009 17:51:32 +0000

As a FYI, a friend sites got hit with this with continuous re-infections. I wrote a windows service that monitored his server and while not stopping the infection it does immediately fix the infections. I have a few more days of testing but will post it at

http://reddwarfdogs.com/websitehack/ around oct 27th..